SIG: ET TROJAN Atomic macOS (AMOS) Stealer JoinSystem

You can see this request on page 8 of the referenced report. Now sig 2045215 covers the sendlog URI of this, which may be the same aside from having a URI match for sendlog (which is the other beacon) and only a B64= match, but for the same content.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atomic macOS (AMOS) Stealer JoinSystem"; flow:established,to_server; content:"POST"; http_method; content:"/joinsystem"; http_uri; fast_pattern:only; content:"BuildId="; http_client_body; depth:8; content:"&user="; http_client_body; distance:0; content:"&B64="; http_client_body; distance:0; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2024-0514.pdf; sid:151211; rev:1;)

2 Likes
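As an added example (not Emerging Threats or Suricata code, and not part of the original post), the following Python mirrors how the rule's content matches and modifiers constrain a request: `http_method`, `http_uri`, then three `http_client_body` matches where `depth:8` pins `BuildId=` to the very start of the body and each `distance:0` makes the next match relative to the previous one. The request samples are constructed for illustration; the BuildId, user and B64 values are placeholders, not real artifacts.

```python
"""
Toy re-implementation of the /joinsystem rule's matching logic so the
constraints can be checked offline against constructed requests.
Added example; not Emerging Threats or Suricata code.
"""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def matches_joinsystem_rule(req: HttpRequest) -> bool:
    """Return True if the request satisfies every content match of the rule."""
    # content:"POST"; http_method;
    if req.method != "POST":
        return False
    # content:"/joinsystem"; http_uri;  (substring match on the URI buffer)
    if "/joinsystem" not in req.uri:
        return False
    body = req.body
    # content:"BuildId="; http_client_body; depth:8;
    # depth:8 restricts the search to the first 8 bytes of the body, so an
    # 8-byte pattern can only match at offset 0.
    idx = body.find(b"BuildId=", 0, 8)
    if idx == -1:
        return False
    pos = idx + len(b"BuildId=")
    # content:"&user="; http_client_body; distance:0;
    # distance:0 makes the match relative: it must start at or after the
    # end of the previous match.
    idx = body.find(b"&user=", pos)
    if idx == -1:
        return False
    pos = idx + len(b"&user=")
    # content:"&B64="; http_client_body; distance:0;
    return body.find(b"&B64=", pos) != -1


# Constructed sample requests (placeholder values, not real beacons).
SAMPLES = {
    "exfil_beacon": HttpRequest(
        "POST", "/joinsystem",
        b"BuildId=PLACEHOLDER-BUILD&user=placeholder-host&B64=" + b"QUJD" * 4),
    "wrong_uri": HttpRequest(
        "POST", "/sendlog",
        b"BuildId=PLACEHOLDER-BUILD&user=placeholder-host&B64=QUJD"),
    "get_method": HttpRequest("GET", "/joinsystem?BuildId=x", b""),
    "buildid_not_first": HttpRequest(
        "POST", "/joinsystem",
        b"junk=1&BuildId=PLACEHOLDER-BUILD&user=placeholder-host&B64=QUJD"),
    "fields_out_of_order": HttpRequest(
        "POST", "/joinsystem",
        b"BuildId=PLACEHOLDER-BUILD&B64=QUJD&user=placeholder-host"),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the matcher."""
    return {name: matches_joinsystem_rule(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'ALERT' if hit else 'no match'}")
```

Only the first sample fires; the others show which single constraint defeats each variant (URI, method, `depth:8`, or field order). Running the body layout of a captured beacon through something like this before submitting is a quick way to confirm that `depth` and `distance` are set the way the rule intends.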

hey @kevross33 thanks for the tip! We’ll take a look and get this in today. :sunglasses:

Isaac

1 Like

The sid for your rule is 2052602 - ET MALWARE AMOS CnC Exfiltration - /joinsystem (POST)

I also got the following related signatures in today’s release as well.

  2052582 - ET MALWARE DNS Query to AMOS Related Domain (iina-app .lat)
  2052583 - ET MALWARE DNS Query to AMOS Related Domain (lightpillar .lat)
  2052584 - ET MALWARE DNS Query to AMOS Related Domain (setapp .ink)
  2052585 - ET MALWARE DNS Query to AMOS Related Domain (cleanshot .ink)
  2052586 - ET MALWARE DNS Query to AMOS Related Domain (figma .lat)
  2052587 - ET MALWARE DNS Query to AMOS Related Domain (aptonic .xyz)
  2052588 - ET MALWARE DNS Query to AMOS Related Domain (sipapp .lat)
  2052589 - ET MALWARE DNS Query to AMOS Related Domain (password-app .pro)
  2052590 - ET MALWARE DNS Query to AMOS Related Domain (macbartender .lat)
  2052591 - ET MALWARE DNS Query to AMOS Related Domain (pixelmator .us)
  2052592 - ET MALWARE DNS Query to AMOS Related Domain (skylum .store)
  2052593 - ET MALWARE DNS Query to AMOS Related Domain (rize .lat)
  2052594 - ET MALWARE DNS Query to DarkComet RAT Domain (servicescraft .buzz)
  2052595 - ET MALWARE DNS Query to DarkComet RAT Domain (ultradelux .buzz)
  2052596 - ET MALWARE DNS Query to DarkComet RAT Domain (dekabristiney .fvds .ru)
  2052597 - ET MALWARE DNS Query to DarkComet RAT Domain (patrikbob100 .fvds .ru)
  2052598 - ET MALWARE Observed DarkComet RAT Domain (ultradelux .buzz in TLS SNI)
  2052599 - ET MALWARE Observed DarkComet RAT Domain (servicescraft .buzz in TLS SNI)
  2052600 - ET MALWARE Observed DarkComet RAT Domain (dekabristiney .fvds .ru in TLS SNI)
  2052601 - ET MALWARE Observed DarkComet RAT Domain (patrikbob100 .fvds .ru in TLS SNI)
  2052603 - ET MALWARE AMOS CnC Exfiltration - /sendlog (POST)
  2052604 - ET MALWARE AMOS CnC Exfiltration - /p2p (POST) M1
  2052605 - ET MALWARE AMOS CnC Exfiltration - /p2p (POST) M2

2 Likes

Thanks @kevross33 @ishaughnessy !